
How do you clean an infected machine?

I'm asking this question to understand what "you" do to clean up an infected machine.

Considering the OS is Windows 2000 and above.

To start:

What do you believe in (ONLY WORKSTATION, NOT TALKING ABOUT CRITICAL SYSTEMS AND SERVERS. I'm only sticking to end user systems. These systems will never house critical data)

1. Clean the machine and continue using it?

Or

2. Reghost or rebuild the machine.

Consider the fact that you have around 5000 machines spread across the country, served by a third-party tech team with NO SLA set.

And

Scenario 2: Consider only 2 or 3 workstations. That's it. However, would you still clean them?

I am also trying to get ideas so that I can write a cleanup guide for the community.

Here is what I usually do:

If it is a local machine :

1. Ensure system restore is OFF.

2. We use a BartPE CD with Kaspersky on it. This CD gets updated every morning. This is used to clean the machine. (For those who have never used Kaspersky on BartPE - it is the same as the complete AV suite with all features.)

3. Just to be sure, we reboot in safe mode and use Trend Micro's sysclean with the latest pattern file.

4. Use the anti-rootkit tools by Trend Micro and F-Secure.

5. Post-cleanup, the machine is checked with sigverif and checked for any rogue services.

6. Use NSS by Symantec, but this is not usually done.

7. Depending on what we found, the system may be rebuilt - in case of rootkits or trojans.

8. Change passwords and other credentials for the user.

The machine is patched if not already patched. Security logs are browsed through to see if it was an intrusion or just an automated piece of code that made it through *due to unpatched machines*.

Scenario 2 :

If it is a remote machine (none of our remote machines have CD/DVD-ROMs):

Same steps, except for using the BartPE CD.

We use sysclean and pattern files, sent over NetMeeting.

****

My personal opinion is never use an infected system, because you never know the extent of the damage. However, this is not feasible in a domain environment where machines are spread across the country and ghosting is not possible every time.

Like I said I want to make a tutorial on how to clean an infected machine, so if you have any points please let me know.

I know IE or Firefox (browsers) can be used for scanning, but at that point in time the machine is in normal mode, and I prefer cleaning a machine in safe mode or through a boot CD.
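As an added example to go with step 5 of the local procedure above (this is not code from the original post, nor from sigverif or any other tool it names): a PowerShell audit that lists every installed service, resolves the binary it actually runs, and flags anything unsigned, missing, or living outside the Windows and Program Files trees. It assumes a Windows version with PowerShell installed and an elevated session; the trusted-root list is a judgement call for this example, not a standard.

```powershell
# Added example (not from the original post): post-cleanup service audit.
# Assumes PowerShell is available on the workstation and that this runs elevated.
# For every installed service it resolves the binary the service runs, checks
# its Authenticode signature (the same question sigverif asks of system files)
# and flags anything unsigned, missing, or outside the Windows / Program Files
# trees (e.g. under Temp or a user profile). It only reports; nothing is changed.

$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }

function Get-ServiceImagePath {
    param([string]$PathName)
    # Quoted form: "C:\Program Files\Vendor\svc.exe" -arg
    if ($PathName -match '^"([^"]+)"') {
        return [Environment]::ExpandEnvironmentVariables($Matches[1])
    }
    # Unquoted form: grow the prefix one token at a time until it names a file,
    # so an unquoted "C:\Program Files\Vendor\svc.exe -arg" still resolves.
    $tokens = $PathName -split ' '
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = [Environment]::ExpandEnvironmentVariables(($tokens[0..($i - 1)] -join ' '))
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return [Environment]::ExpandEnvironmentVariables($tokens[0])
}

function Test-ServiceBinaries {
    foreach ($svc in Get-WmiObject -Class Win32_Service) {
        if (-not $svc.PathName) { continue }
        $image = Get-ServiceImagePath $svc.PathName
        $status = if (Test-Path -LiteralPath $image -PathType Leaf) {
            (Get-AuthenticodeSignature -FilePath $image).Status.ToString()
        } else { 'FileMissing' }
        $inTrusted = $false
        foreach ($root in $trustedRoots) {
            if ($image.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
        }
        New-Object PSObject -Property @{
            Name       = $svc.Name
            State      = $svc.State
            StartMode  = $svc.StartMode
            Image      = $image
            Signature  = $status
            Suspicious = ($status -ne 'Valid') -or (-not $inTrusted)
        }
    }
}
# Print only the rows worth a second look; unsigned third-party services are common, so treat this as a worklist, not a verdict.
Test-ServiceBinaries | Where-Object { $_.Suspicious } | Sort-Object Name |
    Format-Table Name, State, StartMode, Signature, Image -AutoSize
```

Run it once on a known-clean build of the same image and keep that output; diffing a suspect machine against it is far quicker than reading the whole list.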

> I know IE or Firefox (browsers) can be used for scanning, but at that point in time the machine is in normal mode, and I prefer cleaning a machine in safe mode or through a boot CD.

Well you could try safe mode with network connectivity?

Trio of questions:

1. Do these remote machines have WAN and/or internet connectivity?
2. Do they have activated USB ports?
3. Are they a standard software build (apart from versions)?

The first thing I do is run CCleaner in safe mode. That gets rid of most of the temporary garbage and some malware with it.

I don't place too much reliance on traditional AV products. Try others as well, like A-Squared, Spybot S&D and so forth. They are better at catching the less obvious malware.

If I am dealing with a large number of machines I tend to go for the re-imaging/rebuilding route due to the time and cost factors that a cleanup may involve. It is also more certain in its outcome.

I guess a lot also depends on what the infection is and what it does. Some nasties need special tools to clean them. If the machine has been "owned" I would generally go for a reinstall, on the grounds that you never know what else might have been put on there.

If you cannot do someone any good: don't do them any harm....
As long as you did this to one of these, the least of my little ones............you did it unto Me.
What profiteth a man if he gains the entire World at the expense of his immortal soul?